Merge pull request #4393 from wireapp/release_2024-12-30_08_50

Release 2024-12-30 - (expected chart version 5.9.0)

.envrc

@@ -17,16 +17,16 @@ export NIX_CONFIG='extra-experimental-features = nix-command'
 
 [[ -d "$layout_dir" ]] || mkdir -p "$layout_dir"
 
-if [[ ! -d "$env_dir" || ! -f "$layout_dir/nix-rebuild" || "$store_paths" != $(< "$layout_dir/nix-rebuild" ) ]]; then
+if [[ ! -d "$env_dir" || ! -f "$layout_dir/nix-rebuild" || "$store_paths" != $(<"$layout_dir/nix-rebuild") ]]; then
   bcmd=nix
-  if command -v nom &> /dev/null; then
+  if command -v nom &>/dev/null; then
     if [[ "${USE_NOM}" != "0" ]]; then
       bcmd=nom
     fi
   fi
   echo "🔧 Building environment"
   $bcmd build -f nix wireServer.devEnv -Lv --out-link ./.env
-  echo "$store_paths" > "$layout_dir/nix-rebuild"
+  echo "$store_paths" >"$layout_dir/nix-rebuild"
 fi
 
 PATH_add "./.env/bin"
@@ -49,8 +49,13 @@ export LANG=en_US.UTF-8
 export RABBITMQ_USERNAME=guest
 export RABBITMQ_PASSWORD=alpaca-grapefruit
 
-# Redis
+export RABBITMQ_USERNAME_V0=guest
+export RABBITMQ_PASSWORD_V0=alpaca-grapefruit
+
+export RABBITMQ_USERNAME_V1=guest
+export RABBITMQ_PASSWORD_V1=alpaca-grapefruit
 
+# Redis
 export REDIS_PASSWORD=very-secure-redis-cluster-password
 export REDIS_ADDITIONAL_WRITE_PASSWORD=very-secure-redis-master-password
 

.github/workflows/ci.yml

@@ -11,9 +11,10 @@ jobs:
       id-token: write
       contents: read
     steps:
-     - uses: actions/checkout@v2
+     - uses: actions/checkout@v4
        with:
          submodules: true
+         token: '${{ secrets.GH_DOCS_WORKFLOW }}'
      - uses: cachix/install-nix-action@v27
      - uses: cachix/cachix-action@v15
        with:

.gitmodules

@@ -1,3 +1,7 @@
 [submodule "libs/wire-message-proto-lens/generic-message-proto"]
 	path = libs/wire-message-proto-lens/generic-message-proto
 	url = https://github.com/wireapp/generic-message-proto
+[submodule "services/wire-server-enterprise"]
+	path = services/wire-server-enterprise
+	url = https://github.com/wireapp/wire-server-enterprise
+	branch = main

CHANGELOG.md

@@ -1,3 +1,76 @@
+# [2024-12-30] (Chart Release 5.9.0)
+
+## Release notes
+
+
+* POST /scim/auth-token request body allows you to choose an IdP UUID to associate with.  If none is given, do not associate.
+
+  **WARNING:** the new behavior differs from the old one when first creating a unique SAML IdP and then the SCIM token: before this release, this request would associate the two, now it doesn't. (#4349)
+
+* We changed the default MLS cipher suite from
+
+  - MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519
+
+  to
+
+  - MLS_128_DHKEMP256_AES128GCM_SHA256_P256
+
+  and the allowed MLS cipher suites from only
+
+  - MLS_128_DHKEMX25519_AES128GCM_SHA256_Ed25519
+
+  to _only_
+
+  - MLS_128_DHKEMP256_AES128GCM_SHA256_P256.
+
+  ATTENTION: This breaks your MLS clients if they used the previous defaults before. This is even true if you allow several cipher suites, since current MLS clients only support _one_ cipher suite at a time.
+
+  [Adjust the defaults in the server configuration](https://github.com/wireapp/wire-server/blob/develop/docs/src/developer/reference/config-options.md#mls) to switch the values of `defaultCipherSuite` and `allowedCipherSuites` back to the previous defaults, `1` and `[1]`, respectively. Once MLS clients support several cipher suites, you could even use `[1,2]` or a list of other cipher suites in `allowedCipherSuites`. Make sure that this list contains the currently used cipher suite! (#4373)
+
+* This release contains a new Git submodule: `wire-server-enterprise`. This module represents a service which contains all non-open-source features. Wire can still be deployed and run without this service. Building it without `wire-server-enterprise` is currently not documented, but Wire will keep providing the artefacts.
+
+  The service can be deployed with a dedicated Helm chart (`charts/wire-server-enterprise`.) The required service image is not freely available (the registry is password protected.) (#4357)
+
+
+## API changes
+
+
+* The `client_id` query parameter of the `GET /events` endpoint is now optional. When not provided, events are returned from a temporary queue that's not bound to any specific client. The queue is deleted when the websocket disconnects. (#4360)
+
+
+## Features
+
+
+* You can now create both multiple SCIM peers and multiple SAML IdPs, and freely associate them with each other (team management app implementation pending). (#4349)
+
+* Internal API and backoffice support for managing email domains for enterprise login (#4364)
+
+
+## Bug fixes and other updates
+
+
+* Fix `gzip filter failed to use preallocated memory` alerts in nginz by upgrading (#4365)
+
+* Send team active event in personal user to team flow (#4380)
+
+* Add profile name to new team owner welcome mail (#4378)
+
+
+## Internal changes
+
+
+* Delete federation V0 and V1 queues after integration tests (#4374)
+
+* Stabilize `index migration` tests by fixing a race on index names. (#4382)
+
+* Adjust the existing Ormolu script to format the wire-server-enterprise submodule
+  as well. (#4377)
+
+* Revive and translate old integration test (#4387, #4386)
+
+* Translate integration test to new suite. (#4384)
+
+
 # [2024-12-11] (Chart Release 5.8.0)
 
 ## Release notes

cabal.project

@@ -40,6 +40,7 @@ packages:
   , services/galley/
   , services/gundeck/
   , services/proxy/
+  , services/wire-server-enterprise
   , services/spar/
   , tools/db/assets/
   , tools/db/auto-whitelist/

cassandra-schema.cql

@@ -245,9 +245,11 @@ CREATE TABLE brig_test.mls_key_package_refs (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
-CREATE TABLE brig_test.excluded_phones (
-    prefix text PRIMARY KEY,
-    comment text
+CREATE TABLE brig_test.oauth_client (
+    id uuid PRIMARY KEY,
+    name text,
+    redirect_uri blob,
+    secret blob
 ) WITH bloom_filter_fp_chance = 0.01
     AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
     AND comment = ''
@@ -432,6 +434,24 @@ CREATE TABLE brig_test.user_keys (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
+CREATE TABLE brig_test.excluded_phones (
+    prefix text PRIMARY KEY,
+    comment text
+) WITH bloom_filter_fp_chance = 0.01
+    AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
+    AND comment = ''
+    AND compaction = {'class': 'org.apache.cassandra.db.compaction.SizeTieredCompactionStrategy', 'max_threshold': '32', 'min_threshold': '4'}
+    AND compression = {'chunk_length_in_kb': '64', 'class': 'org.apache.cassandra.io.compress.LZ4Compressor'}
+    AND crc_check_chance = 1.0
+    AND dclocal_read_repair_chance = 0.1
+    AND default_time_to_live = 0
+    AND gc_grace_seconds = 864000
+    AND max_index_interval = 2048
+    AND memtable_flush_period_in_ms = 0
+    AND min_index_interval = 128
+    AND read_repair_chance = 0.0
+    AND speculative_retry = '99PERCENTILE';
+
 CREATE TABLE brig_test.mls_public_keys (
     user uuid,
     client text,
@@ -534,11 +554,14 @@ CREATE TABLE brig_test.federation_remote_teams (
     AND read_repair_chance = 0.0
     AND speculative_retry = '99PERCENTILE';
 
-CREATE TABLE brig_test.oauth_client (
-    id uuid PRIMARY KEY,
-    name text,
-    redirect_uri blob,
-    secret blob
+CREATE TABLE brig_test.domain_registration (
+    domain text PRIMARY KEY,
+    backend_url blob,
+    dns_verification_token ascii,
+    domain_redirect int,
+    idp_id uuid,
+    team uuid,
+    team_invite int
 ) WITH bloom_filter_fp_chance = 0.01
     AND caching = {'keys': 'ALL', 'rows_per_partition': 'NONE'}
     AND comment = ''

charts/brig/templates/configmap.yaml

@@ -368,5 +368,8 @@ data:
       setOAuthMaxActiveRefreshTokens: {{ .setOAuthMaxActiveRefreshTokens }}
       {{- end }}
       setPasswordHashingOptions: {{ toYaml .setPasswordHashingOptions | nindent 8 }}
+      {{- if .setAuditLogEmailRecipient }}
+      setAuditLogEmailRecipient: {{ .setAuditLogEmailRecipient }}
+      {{- end }}
     {{- end }}
   {{- end }}